LummaStealer dropped via fake updates from itch.io and Patreon

Dec. 21, 2025, 6:49 p.m.

Description

A malicious campaign targeting indie game platforms like Itch.io and Patreon has been discovered. Attackers are using newly created accounts to spam comments on legitimate games, claiming to offer game updates through Patreon links. These links lead to downloads containing LummaStealer malware. The malware uses multiple anti-analysis techniques, including checks for virtual machines, specific usernames, and processes associated with malware analysis. The payload is delivered through a nexe-compiled JavaScript file, which drops and loads a DLL containing the LummaStealer variant. Despite efforts to remove malicious accounts, new ones continue to appear, indicating an ongoing campaign.

Date

  • Created: Dec. 8, 2025, 5:25 p.m.
  • Published: Dec. 8, 2025, 5:25 p.m.
  • Modified: Dec. 21, 2025, 6:49 p.m.

Indicators


Attack Patterns

Additional Information

  • Entertainment industry